Don’t Freak Out…Yet

4 March 2015 by Katherine Kelly

A new flaw – dubbed FREAK (possibly the best security scare nickname yet) – is affecting a heck-tonne of Apple and Google users (including about a third of encrypted websites at last count). If you’re using one of the affected browsers, or visit an affected site, attackers could potentially decrypt your connection and steal your stuff or give you the gift of malware. Lemme break it down for you.

The flaw (Factoring RSA Export Keys), indexed as CVE-2015-0204, affects web browsers and devices for Apple and Android, and works by exploiting the vulnerability the moment a secure connection is made, but before encryption has begun. In English – attackers could potentially decrypt your login cookies and other important info from your HTTPS (secure) connection and see all of your things.

And now, in Tech: “A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204.”

At the moment there’s no evidence that the flaw has been exploited in the wild though, and both Apple and Google are hustling to get patches out.

The flaw is a throwback from an old government policy (which was given the chop about a decade ago) which meant US software devs had (read: were told) to use weaker encryption for encryption programs sold overseas, for the sake of ‘national security’.

This meant that they weren’t allowed to sell the software overseas if the encryption was longer than 512 bits (which is totally breakable with the right tools and a couple of hours/days grafting). Although this hasn’t been the policy for around a decade, some implementations of TSL and SSL protocols (security layers for Apple and Android) still use this level of strength of the tech.

What this basically means is that if you’re using Apple or Android devices, be cautious when using HTTPS sites (which is pretty ironic, as they are usually the more secure ones). Firefox for OS X and Android doesn’t seem to be affected, so maybe think about using that for now; and apparently Google is looking at delivering a version of Chrome for Macs that’s also immune so keep a beady eye out for that Mac-users.

This is even more poignant because of the government’s recent comments about leaving back doors in encryption to help national security, which would actually leave encryption potentially weakened again. Our CEO, Lawrence Jones, said: “I think what this highlights is that it’s so important we have a government that understands technology.

“Learning from our mistakes is important, but in this situation we can learn from the mistakes of others, namely the US government. As this latest security flaw demonstrates, if you weaken or get rid of encryption it will make transactions and doing business online unworkable and insecure. Hopefully, in light of this vulnerability, our PM will realise that previous suggestions about opening up online communication to government scrutiny is a risk that’s simply not worth taking.”

A patch was made available for OpenSSL in Jan, and will be available for Apple’s SecureTransport for OS X and iOS soon if it hasn’t been already, so ensure your updates are updatin’.

Unfortunately if you’re on older versions that are no longer getting updates, you’re kinda on your own here, and could be vulnerable when using these systems. You can visit freakattack.com (the site documenting the vulnerability) to find out if your browser is at risk.

Our security division Secarma explains that, at the end of the day, attacks evolve and it’s important to ensure that your security plan does too. Regular pen testing helps you stay on top of any potentially vulnerable areas in your system, which can then be protected.

For more information on our security solutions take a look at our website or give us a call on 0800 458 4545.